Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials, Google Cloud Finds

Infosecurity Magazine, Mar 10, 2026

Why It Matters

The trend accelerates risk for organizations that rely on slow patch cycles, forcing cloud security teams to prioritize rapid, automated remediation to protect critical workloads.

Key Takeaways

  • Software vulnerability exploits now account for 44.5% of entry vectors
  • Credential attacks fell to 27.2% of initial accesses
  • React2Shell (CVE‑2025‑55182) drives rapid cloud compromise
  • Exploitation window shrank from weeks to days
  • Automated WAF patching recommended to neutralize exploits

Pulse Analysis

The latest Google Cloud Threat Horizons Report underscores a fundamental evolution in cloud‑focused threat actors. By the second half of 2025, nearly half of all successful intrusions leveraged unpatched third‑party software, a stark contrast to the credential‑driven attacks that dominated earlier in the year. This pivot reflects attackers’ recognition that vulnerable application stacks provide a more reliable foothold than weak passwords, especially in environments where identity‑centric defenses are maturing.

At the heart of this shift is the React2Shell flaw (CVE‑2025‑55182), a critical remote‑code‑execution bug in React Server Components. Nation‑state groups linked to North Korea and China have weaponized the vulnerability, launching campaigns that compromised cloud workloads within 48 hours of public disclosure. The speed of exploitation—compressing a window that once spanned weeks into mere days—highlights the growing efficiency of exploit‑as‑a‑service platforms and the urgency for organizations to shorten their patch latency.

In response, Google Cloud urges a move away from manual, reactive patching toward automated, edge‑focused defenses. Deploying Web Application Firewall (WAF) rules that block known exploit patterns can neutralize threats before underlying software updates are applied. Coupled with centralized identity‑access controls and continuous posture monitoring, such automation reduces exposure and aligns with emerging best practices for cloud resilience. Enterprises that adopt these measures will be better positioned to mitigate the accelerating pace of vulnerability exploitation across multi‑cloud landscapes.
